Israeli surveillance firm Paragon Solutions deployed its Graphite spyware against at least 90 journalists, activists, and civil society members using WhatsApp and Apple’s iMessage, and the attack went undetected for months. The operation was disclosed on January 31, 2025, when WhatsApp sent a cease-and-desist letter to Paragon and notified targeted users, referring them to Citizen Lab for forensic investigation. Follow-up research confirmed that the Paragon campaign against WhatsApp and iPhone users targeted victims in at least six countries, using two distinct zero-click attack vectors. Here is a complete breakdown of what happened, who was targeted, and how to protect yourself.

What Is Paragon and Its Graphite Spyware
Paragon Solutions is an Israeli private surveillance company founded in 2019 by former IDF Unit 8200 commander Ehud Schneorson, alongside CEO Idan Nurick, CTO Igor Bogudlov, and Chief Research Officer Liad Abraham. Former Israeli Prime Minister Ehud Barak is a co-founder and investor. In 2024, U.S. private equity firm AE Industrial Partners acquired Paragon in a deal valued at up to $900 million.
Paragon markets Graphite as a “lawful intercept” tool sold only to vetted government clients — positioning it as an ethically constrained alternative to NSO Group’s Pegasus spyware. However, the WhatsApp disclosure and subsequent Citizen Lab forensic reports cast doubt on those claims. The Trump administration reactivated a $2 million contract with Paragon through ICE (U.S. Immigration and Customs Enforcement) in 2025, despite the ongoing controversy.
Citizen Lab identified six likely government customers of Graphite: Australia, Canada, Cyprus, Denmark, Israel, and Singapore.
How the Attack Worked: Two Zero-Click Vectors

The Graphite operation used two separate exploitation paths, neither of which required the target to click a link or open a file:
Vector 1 — WhatsApp (January 2025): Paragon exploited a zero-day vulnerability in WhatsApp to silently push a malicious PDF to victim devices via WhatsApp group chats. The exploit triggered on delivery without any interaction from the target. WhatsApp patched this vulnerability and notified approximately 90 affected users on January 31, 2025.
Vector 2 — Apple iMessage/iCloud (CVE-2025-43200): A zero-click vulnerability in Apple’s Messages app was exploited by delivering maliciously crafted media shared through iCloud links. Devices running iOS 18.2.1 were compromised during infection periods documented between December 22, 2024 and early February 2025. Apple patched CVE-2025-43200 in iOS 18.3.1 on February 10, 2025.
Once installed, Graphite can:
- Read encrypted messages from WhatsApp, Signal, Telegram, and iMessage
- Access emails, contacts, photos, and documents
- Activate the microphone and camera
- Track location in real time
- Persist across device reboots in some configurations
According to research published by Citizen Lab on June 12, 2025, Graphite infections were forensically confirmed on multiple devices belonging to Italian journalists.
Who Was Targeted: Confirmed Victims and Countries
The confirmed victims are primarily journalists and civil society activists. Named individuals include:
- Francesco Cancellato — Editor-in-chief of Fanpage.it (Italy), targeted via WhatsApp.
- Ciro Pellegrino — Journalist, also at Fanpage.it, targeted.
- Luca Casarini — Humanitarian activist with Mediterranea Saving Humans (Italy), device infected December 22, 2024 – January 31, 2025.
- Giuseppe Caccia — Also affiliated with Mediterranea, infected December 23, 2024.
- Two additional journalists notified by Apple on April 29, 2025, after the iOS 18.3.1 patch.
The approximately 90 users notified by WhatsApp span multiple countries. Italy was the most publicly documented target nation, but Citizen Lab’s government-customer list suggests the tool was also active in Australia, Canada, Cyprus, Denmark, and Singapore.
How to Check If You’re Affected and Protect Yourself
Most journalists and activists will not be targets of nation-state spyware. However, if you work in sensitive journalism, civil society, or opposition politics in any country with known Paragon ties, take these steps:
Immediate actions (everyone):
- Update iOS immediately — iOS 18.3.1 (released February 10, 2025) patches CVE-2025-43200. Go to Settings → General → Software Update.
- Update WhatsApp — Install the latest WhatsApp version from the App Store or Google Play to receive the patch for the zero-day exploit used in this campaign.
- Enable Lockdown Mode (iOS) — For high-risk individuals, Apple’s Lockdown Mode (Settings → Privacy & Security → Lockdown Mode) dramatically reduces the attack surface for zero-click exploits by restricting message previews, link previews, and JavaScript in Safari.
Detection steps for high-risk individuals:
- Request an iVerify scan — iVerify (by Trail of Bits) is a mobile security app that performs threat detection scans for known spyware indicators on iOS and Android. It identified Graphite infections in the Paragon campaign.
- Contact Citizen Lab or Access Now — Both organizations offer free digital security support to journalists and civil society members. Citizen Lab’s forensic methodology confirmed the Graphite infections in Italy. Access Now’s Digital Security Helpline is available at accessnow.org.
- Check for Apple threat notifications — Apple sends threat notifications to users it believes have been targeted by mercenary spyware. These appear as alerts in your Apple ID account and via email. Apple notified some Paragon victims on April 29, 2025.
Long-term protective measures:
- Use Signal for sensitive communications (Signal has stronger protections against metadata analysis).
- Avoid opening unexpected files, links, or media from unknown senders in any messaging app.
- Regularly reboot your device — some Graphite versions lose persistence after a reboot.
- Keep all apps and iOS updated; zero-click exploits depend on unpatched vulnerabilities.
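For someone looking after the phones of a newsroom or NGO, the update and referral steps above can be applied to a whole device list at once. The following is an added example, not part of the original article: the inventory rows and column names are constructed, the role tags are an assumption, and only the iOS 18.3.1 fix named on this page is considered.

```python
import csv
import io
from datetime import date

# Values taken from the article; only the iOS 18 fix it names is modelled (assumption).
FIXED_IOS = (18, 3, 1)             # iOS release that patches CVE-2025-43200
WINDOW_START = date(2024, 12, 22)  # first documented infection date
HIGH_RISK_ROLES = {"journalist", "activist"}  # assumption: roles as tagged in the inventory

# Constructed sample data; the column names are hypothetical, not a real MDM schema.
SAMPLE_INVENTORY = """device,role,ios_version,reached_current_version
phone-01,journalist,18.2.1,2025-01-07
phone-02,journalist,18.3.1,2025-02-11
phone-03,activist,18.1,2024-11-02
phone-04,finance,18.4,2025-04-02
phone-05,finance,18.2,2024-12-12
"""

def parse_version(text):
    """'18.1' -> (18, 1, 0), so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def exposure_days(version, reached, as_of):
    """Upper bound on days since WINDOW_START spent below the fixed release."""
    end = as_of if version < FIXED_IOS else reached
    return max((end - WINDOW_START).days, 0)

def triage(inventory_csv, as_of):
    """Return (device, action, exposure_days) tuples, most urgent first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(rec["ios_version"])
        reached = date.fromisoformat(rec["reached_current_version"])
        days = exposure_days(version, reached, as_of)
        high_risk = rec["role"] in HIGH_RISK_ROLES
        if version < FIXED_IOS:   # still on a build without the fix
            action = "update+refer" if high_risk else "update"
        else:                     # patched now, but exposed earlier in the window
            action = "refer" if high_risk and days > 0 else "ok"
        rows.append((rec["device"], action, days))
    order = {"update+refer": 0, "update": 1, "refer": 2, "ok": 3}
    return sorted(rows, key=lambda r: (order[r[1]], -r[2]))

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, date(2025, 5, 1)):
        print(row)
```

Here "refer" means passing the device to a forensic check such as the Citizen Lab or Access Now support described above, and "update" means installing iOS 18.3.1 or later.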
Common Questions: Paragon Graphite Spyware on WhatsApp and iPhone (2026)
Q: Is Paragon Graphite the same as Pegasus spyware?
A: No, Graphite and Pegasus are different spyware products from different companies. Pegasus is developed by Israel’s NSO Group and has been documented targeting human rights defenders, journalists, and politicians across dozens of countries since at least 2016. Graphite is developed by Paragon Solutions, a newer Israeli firm founded in 2019. Both are sold to government clients as “lawful intercept” tools, but Paragon markets Graphite as having stricter usage controls than Pegasus.
Q: If I’m not a journalist, should I be worried about Paragon Graphite?
A: The current documented victims are journalists, activists, and civil society members in countries where Paragon has government clients. For the average user, the risk of being directly targeted by Graphite is extremely low. However, everyone benefits from keeping iOS and WhatsApp updated, as the underlying vulnerabilities (CVE-2025-43200 and the WhatsApp zero-day) can theoretically be exploited by other threat actors using similar techniques.
Q: Did Apple or WhatsApp do enough to protect users?
A: Both companies responded after disclosure: Apple patched CVE-2025-43200 in iOS 18.3.1 within weeks of being notified, and WhatsApp patched its zero-day and sent cease-and-desist letters to Paragon. Critics argue that the broader issue — commercial spyware vendors selling to governments with poor human rights records — requires regulatory action beyond what individual companies can address. The European Parliament and multiple NGOs have called for an international ban on commercial mercenary spyware.
Q: Can Android phones be infected by Graphite?
A: Citizen Lab’s April 2026 research primarily documented Graphite infections on iPhone. However, Paragon and similar surveillance vendors typically develop capabilities for both iOS and Android platforms. Keeping Android updated and using Google Play Protect are the best current defenses. iVerify has an Android version that can run detection scans similar to its iOS product.
Conclusion
The Paragon Graphite campaign is the latest reminder that commercial spyware is a growing global threat to press freedom and civil society. Three key takeaways:
- Update immediately — iOS 18.3.1 and the latest WhatsApp patch both address vulnerabilities exploited in this campaign.
- High-risk individuals should enable Lockdown Mode — Apple’s Lockdown Mode provides significant protection against zero-click exploits for those who need it.
- Citizen Lab and Access Now offer free help — If you believe you may be targeted, contact these organizations before assuming your device is clean.
Last Updated: April 13, 2026








